Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping.

  • godless@lemmy.world
    link
    fedilink
    English
    arrow-up
    311
    arrow-down
    5
    ·
    1 year ago

    I live in China and this software is cancerous not just in the encryption failure, it also nestles into a computer like a trojan. Creates 2 fallback installations and will reinstall itself after removal if you reboot in between, unless you get rid of all 3 installations at once, where they are deliberately trying to obfuscate the uninstall button (triple confirmation, swapping the confirm/cancel buttons and button background colors, etc.).

    It’s a nasty piece of crap that come preloaded on any phone (android, at least) and Windows-PC here.

  • nomadjoanne@lemmy.world
    link
    fedilink
    English
    arrow-up
    141
    arrow-down
    12
    ·
    edit-2
    1 year ago

    Didn’t swiftpad or whatever its called send every key pressed to Microsoft?

    Not a China shill. China is horrible. Microsoft less so as they don’t commit genocide in slow motion. But still, I think this sort of thing is more common than we think.

    Use FOSS.

    • dx1@lemmy.world
      link
      fedilink
      English
      arrow-up
      16
      ·
      1 year ago

      What are the best FOSS options for Android keyboard apps? I’ve been struggling with this lately.

      • nomadjoanne@lemmy.world
        link
        fedilink
        English
        arrow-up
        15
        ·
        1 year ago

        I use OpenBoard (it’s available on fDroid. Maybe the play store too).

        I don’t know if it’s the best but I like it. If you type in multiple languages you do need to hit a “language switcher” key on the keyboard to switch to the autocorrect for that language. A very minor complaint. Otherwise it’s great.

        And it will learn swear words. No more ducking ducks.

        • realherald@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          F-Droid says the app hasn’t been updated in the last 14 months. Is the project still worked on? It says beta on the website.

          • makingrain@lemmy.world
            link
            fedilink
            English
            arrow-up
            7
            ·
            edit-2
            1 year ago

            Yes.. The pitfalls of FOSS is that some dude is working on it when they have free time. I’ve been using it for 2 years and can’t say I mind… would like to have the word suggestions, though.

        • Scrappy@feddit.nl
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          Thanks for the recommendation. This comment is typed using a freshly installed florisboard keyboard :)

    • Spambox@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      arrow-down
      1
      ·
      1 year ago

      Think you mean SwiftKey which Microsoft just introduced bing AI into that you can’t turn off. I 100 percent assume they now use all your typing data to train their ai too. They won’t even let you use themes without logging in to an account so I again assume they also tie data to accounts.

    • Chewy@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      Yes that’s why I’ve disabled Internet access for my keyboard since I haven’t found a FOSS one with all the features I want. Not that I need them but they’re nice and blocking network access is built in GrapheneOS anyway.

  • Goodie@lemmy.world
    link
    fedilink
    English
    arrow-up
    97
    arrow-down
    1
    ·
    1 year ago

    It’s stories like this that don’t surprise me as much as make me ask: How the fuck do you store and process this much data to get anything useful out of it.

    • toofpic@lemmy.world
      link
      fedilink
      English
      arrow-up
      54
      ·
      1 year ago

      You just save the first 50 digits typed after some email is typed, and you have all the passwords you need!

      • Goodie@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        2
        ·
        1 year ago

        This only applies if a username is a email

        And if it is then what happens when people actually email someone? Autocorrect during login?

        • ultimate_question@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          ·
          edit-2
          1 year ago

          I don’t think they’re saying that method would yield 100% clean data but it would give you all the “necessary” data with the absolute bare minimum storage requirement. At some point people will log into their email and for most people if you have their email password you have the password they use for everything

        • WarmSoda@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          They weren’t describing a use case for every single type of situation.

    • WarmSoda@lemm.ee
      link
      fedilink
      English
      arrow-up
      38
      arrow-down
      2
      ·
      1 year ago

      I could be wrong, and this is a generalization of any country you can name, but my impression is data is stored on everyone so when they decide someday to look you up they already have all the data collected. It’s not really processed until needed.

      • TheEntity@kbin.social
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        Did you ever see how an average person types? It’s not the amount of data that is the problem. We have too much dumb data!

      • Steeve@lemmy.ca
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        The real answer is compute power. At the moment it’s very expensive to run the computations necessary for big LLMs, I’ve heard some companies are even developing specialized chips to run them more efficiently. On the other hand, you probably don’t want your phone’s keyboard app burning out the tiny CPU in it and draining your battery. It’s not worth throwing anything other than a simple model at the problem.

  • thorbot@lemmy.world
    link
    fedilink
    English
    arrow-up
    69
    arrow-down
    4
    ·
    1 year ago

    Oh wow, who would have ever thought they’d do that? What a fucking surprise.

  • punseye@lemmy.world
    link
    fedilink
    English
    arrow-up
    59
    arrow-down
    8
    ·
    1 year ago

    As if other keyboard apps are any different, I don’t think Microsoft bought SwiftKey just for fun?!

  • kicksystem@lemmy.world
    link
    fedilink
    English
    arrow-up
    52
    arrow-down
    2
    ·
    1 year ago

    I don’t get it? Why are they talking in the article about not using the right type of encryption. The problem isn’t the encryption, but the fact that it is sending your keystrokes to the mothership, right?

    • TeddE@lemmy.world
      link
      fedilink
      English
      arrow-up
      22
      arrow-down
      1
      ·
      1 year ago

      I recommend free and open source software for everyone. Everything on this list is curated to feature the best alternatives to common proprietary software (according to Linux Cafe):

      https://gitlab.com/linuxcafefederation/awesome-alternatives/-/blob/master/README.md

      This list is good free, open source (FOSS) Android keyboards:

      https://github.com/offa/android-foss#-keyboard

      I think the best two are Simple Keyboard and AnySoftKeyboard. Simple Keyboard is pleasant to use, but is missing a several advanced features. ASK would be perfect if the swipe typing worked (it’s currently listed as beta, and is mostly actuate, but unfortunately when it does make a mistake fixing it is almost painful).

      Finally, try to get comfortable going to alternativeto.net when you get frustrated with software. Worst case scenario you get frustrated with different software for a bit and switch back. Of course it notes the price and license model for each alternative.

      • Cosmic Cleric@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        ASK would be perfect if the swipe typing worked (it’s currently listed as beta, and is mostly actuate, but unfortunately when it does make a mistake fixing it is almost painful).

        It crashes for me so often that I finally gave up using it.

        Also there was a weird bug of where if you were working on a long document, towards the bottom of the document all of a sudden it will drag you all the way up to the top of the document, so then you had to scroll all the way back to where you were before, at the bottom of the document.

  • Diabolo96@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    119
    arrow-down
    85
    ·
    edit-2
    1 year ago

    The people here acting like their Gboard doesn’t do the same is so funny.

    Edit : never used nor installed tiktok.

      • knock@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        4
        ·
        1 year ago

        I mean he’s not wrong, but also not really the same thing. Gboard does send a substantial amount of data about the things you typed to google. It is supposedly anonymous, but they do this to get anylitics, and they use this data to improve the suggestions given to you.

        There has been at least one article where someone intercepted the data leaving from Gboard and found it’s either unencrypted or just hashed into something like base64. This was a while back so things hopefully changed.

        While google does try not to phone home users passwords, how can you tell what is and isent private?

      • Diabolo96@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        28
        ·
        1 year ago

        Even if i had it, do you honestly think i would waste my life to be completely forgotten and left to rot for disclosing it like Snowden. Yep, no one will ever reveal anything after that shit show.

      • Diabolo96@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        5
        ·
        edit-2
        1 year ago

        Did you read it ? Can you share the part with relevant info. I tried to read it but it kept going abouts how Gboard and the Microsoft keyboard both gather huge amount of data and yet that both are opaque and you can’t know what data is sent to the server backend.

        Also, ever heard of 5,9 and 14 eyes ?

        • Avid Amoeba@lemmy.ca
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Google doesn’t sell to data brokers. Not yet at least. They have a competitive advantage they will lose if they sold their data (our data) to third parties, especially third party resellers. If/when they begin circling the drain, that may change.

      • ShovelLiz@lemmy.zip
        link
        fedilink
        English
        arrow-up
        27
        arrow-down
        3
        ·
        1 year ago

        I mean… Does It change anything? They are owned by a board of directors that want profits over anything else

      • Diabolo96@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        17
        arrow-down
        2
        ·
        1 year ago

        Man, Snowden wasted his entire life to tell you USA literally spy on everything you do and when caught their answer was : yeah, so what you gonna do about it, maybe you should do the same.

      • echo64@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        4
        ·
        edit-2
        1 year ago

        no they are just compelled by the state and secret courts which is totally different obviously

      • Hazdaz@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        13
        ·
        1 year ago

        I love how people overlook this part. You get all the knuckledraggers who want to claim the US is somehow just as bad as China is.
        The anti-American sentiment in here is obnoxious.

  • s20@lemmy.ml
    link
    fedilink
    English
    arrow-up
    35
    arrow-down
    4
    ·
    edit-2
    1 year ago

    And the Platinum Award for Least Surprising News Headline goes to…

  • sugarfree@lemmy.world
    link
    fedilink
    English
    arrow-up
    31
    arrow-down
    1
    ·
    1 year ago

    These findings underscore the importance for software developers in China to use well-supported encryption implementations such as TLS instead of attempting to custom design their own.

    lol.

    • PutangInaMo@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      2
      ·
      1 year ago

      And this is the only point of the article. Idk what all these other comments are on about, but this article is outlining lack of standardized protocols that made the software vulnerable to network eavesdropping.

      This doesn’t point to a big CCP conspiracy, it’s just bad design.

  • Cam@lemmy.world
    link
    fedilink
    English
    arrow-up
    32
    arrow-down
    4
    ·
    1 year ago

    Never use a closed source keyboard app. It can read what you send for messages, websites you go to, search engine queries.